Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 12:03
Static task: static1
Behavioral task: behavioral1
Sample: 8e8b199203c9c7c9e649fbc2332d117cbc93c48c2731d731f2b81841c7861517N.dll
Resource: win7-20241010-en
General
Target: 8e8b199203c9c7c9e649fbc2332d117cbc93c48c2731d731f2b81841c7861517N.dll
Size: 120KB
MD5: 5126662a2aad02c1bdbab148c5c167b0
SHA1: bfa728f3c23576976f39d893d9f048c527ad1ac4
SHA256: 8e8b199203c9c7c9e649fbc2332d117cbc93c48c2731d731f2b81841c7861517
SHA512: 21901436ddf77b1518550526e5e54db0ebb28334340449ddf96d05cb18ae5aae7a23c28a5adb461f860248db9bc080d6d613c98f6b841667fb3850e9a8ef8622
SSDEEP: 3072:rZGVctUQQidOnJzpWcdilfyqAGouM/dIGfJg:UV5idQYZXAly
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a78a.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e426.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e426.exe
Executes dropped EXE 4 IoCs
pid | Process
636 | e57a44e.exe
3772 | e57a78a.exe
3508 | e57e3d8.exe
1440 | e57e426.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a44e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a78a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e426.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e426.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e426.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a44e.exe
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e57a44e.exe
File opened (read-only) | \??\G: | e57a44e.exe
File opened (read-only) | \??\H: | e57a44e.exe
File opened (read-only) | \??\I: | e57a44e.exe
File opened (read-only) | \??\E: | e57e426.exe

resource | yara_rule
behavioral2/memory/636-6-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-9-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-8-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-11-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-10-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-17-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-16-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-18-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-19-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-20-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-35-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-36-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-41-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-42-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-43-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-45-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-61-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-67-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-68-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/636-72-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3772-106-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/3772-98-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/3772-97-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/3772-95-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/3772-94-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/3772-93-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/3772-90-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/3772-96-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/3772-92-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/3772-126-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\e57a4eb | e57a44e.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57a44e.exe
File created | C:\Windows\e57f627 | e57a78a.exe
File created | C:\Windows\e581e9f | e57e426.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a44e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a78a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e3d8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e426.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
636 | e57a44e.exe
636 | e57a44e.exe
636 | e57a44e.exe
636 | e57a44e.exe
3772 | e57a78a.exe
3772 | e57a78a.exe
1440 | e57e426.exe
1440 | e57e426.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 636 | e57a44e.exe (this row is repeated 64 times in the report)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid Process | procid_target
PID 4684 wrote to memory of 4012 | 4684 rundll32.exe | 82
PID 4684 wrote to memory of 4012 | 4684 rundll32.exe | 82
PID 4684 wrote to memory of 4012 | 4684 rundll32.exe | 82
PID 4012 wrote to memory of 636 | 4012 rundll32.exe | 83
PID 4012 wrote to memory of 636 | 4012 rundll32.exe | 83
PID 4012 wrote to memory of 636 | 4012 rundll32.exe | 83
PID 636 wrote to memory of 792 | 636 e57a44e.exe | 8
PID 636 wrote to memory of 796 | 636 e57a44e.exe | 9
PID 636 wrote to memory of 396 | 636 e57a44e.exe | 13
PID 636 wrote to memory of 2640 | 636 e57a44e.exe | 44
PID 636 wrote to memory of 2684 | 636 e57a44e.exe | 45
PID 636 wrote to memory of 2876 | 636 e57a44e.exe | 51
PID 636 wrote to memory of 3424 | 636 e57a44e.exe | 55
PID 636 wrote to memory of 3608 | 636 e57a44e.exe | 57
PID 636 wrote to memory of 3796 | 636 e57a44e.exe | 58
PID 636 wrote to memory of 3896 | 636 e57a44e.exe | 59
PID 636 wrote to memory of 3964 | 636 e57a44e.exe | 60
PID 636 wrote to memory of 4068 | 636 e57a44e.exe | 61
PID 636 wrote to memory of 3420 | 636 e57a44e.exe | 62
PID 636 wrote to memory of 1484 | 636 e57a44e.exe | 64
PID 636 wrote to memory of 60 | 636 e57a44e.exe | 75
PID 636 wrote to memory of 4684 | 636 e57a44e.exe | 81
PID 636 wrote to memory of 4012 | 636 e57a44e.exe | 82
PID 636 wrote to memory of 4012 | 636 e57a44e.exe | 82
PID 4012 wrote to memory of 3772 | 4012 rundll32.exe | 84
PID 4012 wrote to memory of 3772 | 4012 rundll32.exe | 84
PID 4012 wrote to memory of 3772 | 4012 rundll32.exe | 84
PID 636 wrote to memory of 792 | 636 e57a44e.exe | 8
PID 636 wrote to memory of 796 | 636 e57a44e.exe | 9
PID 636 wrote to memory of 396 | 636 e57a44e.exe | 13
PID 636 wrote to memory of 2640 | 636 e57a44e.exe | 44
PID 636 wrote to memory of 2684 | 636 e57a44e.exe | 45
PID 636 wrote to memory of 2876 | 636 e57a44e.exe | 51
PID 636 wrote to memory of 3424 | 636 e57a44e.exe | 55
PID 636 wrote to memory of 3608 | 636 e57a44e.exe | 57
PID 636 wrote to memory of 3796 | 636 e57a44e.exe | 58
PID 636 wrote to memory of 3896 | 636 e57a44e.exe | 59
PID 636 wrote to memory of 3964 | 636 e57a44e.exe | 60
PID 636 wrote to memory of 4068 | 636 e57a44e.exe | 61
PID 636 wrote to memory of 3420 | 636 e57a44e.exe | 62
PID 636 wrote to memory of 1484 | 636 e57a44e.exe | 64
PID 636 wrote to memory of 60 | 636 e57a44e.exe | 75
PID 636 wrote to memory of 4684 | 636 e57a44e.exe | 81
PID 636 wrote to memory of 3772 | 636 e57a44e.exe | 84
PID 636 wrote to memory of 3772 | 636 e57a44e.exe | 84
PID 4012 wrote to memory of 3508 | 4012 rundll32.exe | 85
PID 4012 wrote to memory of 3508 | 4012 rundll32.exe | 85
PID 4012 wrote to memory of 3508 | 4012 rundll32.exe | 85
PID 4012 wrote to memory of 1440 | 4012 rundll32.exe | 86
PID 4012 wrote to memory of 1440 | 4012 rundll32.exe | 86
PID 4012 wrote to memory of 1440 | 4012 rundll32.exe | 86
PID 3772 wrote to memory of 792 | 3772 e57a78a.exe | 8
PID 3772 wrote to memory of 796 | 3772 e57a78a.exe | 9
PID 3772 wrote to memory of 396 | 3772 e57a78a.exe | 13
PID 3772 wrote to memory of 2640 | 3772 e57a78a.exe | 44
PID 3772 wrote to memory of 2684 | 3772 e57a78a.exe | 45
PID 3772 wrote to memory of 2876 | 3772 e57a78a.exe | 51
PID 3772 wrote to memory of 3424 | 3772 e57a78a.exe | 55
PID 3772 wrote to memory of 3608 | 3772 e57a78a.exe | 57
PID 3772 wrote to memory of 3796 | 3772 e57a78a.exe | 58
PID 3772 wrote to memory of 3896 | 3772 e57a78a.exe | 59
PID 3772 wrote to memory of 3964 | 3772 e57a78a.exe | 60
PID 3772 wrote to memory of 4068 | 3772 e57a78a.exe | 61
PID 3772 wrote to memory of 3420 | 3772 e57a78a.exe | 62
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a44e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a78a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e426.exe
Processes
image | command line | PID (indentation shows parent/child depth)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:396
C:\Windows\system32\sihost.exe | sihost.exe | PID:2640
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2684
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2876
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3424
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e8b199203c9c7c9e649fbc2332d117cbc93c48c2731d731f2b81841c7861517N.dll,#1 | PID:4684
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e8b199203c9c7c9e649fbc2332d117cbc93c48c2731d731f2b81841c7861517N.dll,#1 | PID:4012
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57a44e.exe | C:\Users\Admin\AppData\Local\Temp\e57a44e.exe | PID:636
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57a78a.exe | C:\Users\Admin\AppData\Local\Temp\e57a78a.exe | PID:3772
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57e3d8.exe | C:\Users\Admin\AppData\Local\Temp\e57e3d8.exe | PID:3508
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57e426.exe | C:\Users\Admin\AppData\Local\Temp\e57e426.exe | PID:1440
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3608
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3796
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3896
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3964
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4068
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3420
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1484
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:60
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Create or Modify System Process 1
    Windows Service 1
Defense Evasion
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Impair Defenses 4
    Disable or Modify System Firewall 1
    Disable or Modify Tools 3
  Modify Registry 5
Downloads

Filesize: 97KB
MD5: e82c0bc4b02fe0566f2fdf964128d3cd
SHA1: 64795d872674d114804b25e6d6a8abb3ca76ae16
SHA256: 98c2e56af08d2f2283128e46942b3c9c956b29f18876bdcf54880f1a9b0c87e0
SHA512: b9718b89a13f8750609248bcda0b46d30e44d1977c3f7f31373f836f9f4bae46beb8046232089880c93033c69f4e4d7613c0b6e91a7b46412380e5812dc801fe

Filesize: 257B
MD5: fdb96f416279700e70dcb5e04a323152
SHA1: 43710ce69d0caaea9d607b7e2616d17c9f91770a
SHA256: c20d5db1ff5ae358287748a282e4b652f7f0ef2ee6384a268796bdd65149ee91
SHA512: 84fffe56a1490c68f8bb4ca17c91c5259be34c61f991afa5e45ca1b2334d459956ce3dbbe5443eac3c48436ca4807945e6fe323046dd43438f65ee8882fd7864